LinkedIn spam, exploits and Zeus: a deadly combination ?

1 minute read

Is this the perfect recipe for a cybercriminal ?:

  1. Hacking LinkedIn’s password (and possibly user-) database.
  2. Sending an email to all obtained email addresses, which is urging you to check your LinkedIn inbox as soon as possible.
  3. A user unawarely clicking on the link.
  4. An exploit gets loaded. Malware gets dropped. Malware gets executed.
  5. User’s computer is now a zombie (part of a botnet).

I would definitely say YES.
A reader of my blog contacted me today, he had received an email from LinkedIn which was looking phishy. We can verify that Step 1 is accomplished, by the simple fact that in the “To” and/or “CC” field of the email below, there are about ~100 email addresses. A quick look-up of a few of them on LinkedIn reveals the unconvenient truth…
Here’s the email in question:

ss

Subjects of this email might be:
“Relationship LinkedIn Mail‏”, “Communication LinkedIn Mail‏”, “Link LinkedIn Mail” or “Urgent LinkedIn Mail‏”. No doubt the subjects of this email will vary, and are not limited to these four.
Step 1 and step 2 of the cybercrook’s scheme are already fulfilled. Now he just has to wait until someone clicks on one of the links. Which brings us to point 3.
Suppose someone clicks on the link. What will happen exactly ? This depends on the version of these programs that may be installed on your computer:

  • Adobe Reader
  • Java

In some cases, your browser will crash. In other cases, the page will just appear to sit there and nothing happens. In unfortunate cases, the exploit will begin doing its work. As said before, a mixed flavor of Adobe & Java exploits are used.
In this case, we will review the specific Adobe exploit. We will check with Process Explorer what exactly is happening:

ss2

Continue Reading here: http://bartblaze.blogspot.com/2012/06/linkedin-spam-exploits-and-zeus-deadly.html

Leave a comment